Portable Sessions with JSON Web Tokens (RailsConf 2017)

Transcript

1. JSON Web Tokens Lance Ivy

2. The Next Big Thing

3. Introducing: FacePage it me ******

4. 2003 - professionally unpaid Lance Ivy @cainlevy https://cainlevy.net

5. 2003 - professionally unpaid 2004 2005 2006 - paid Rails

   dev 2007 - first RailsConf 2008 - KICKSTARTER Lance Ivy @cainlevy https://cainlevy.net

6. 2003 - professionally unpaid 2004 2005 2006 - paid Rails

   dev 2007 - first RailsConf 2008 - KICKSTARTER 2009 2010 2011 2012 2013 2014 2015 2016 2017 - Empatico, Keratin AuthN Lance Ivy @cainlevy https://cainlevy.net

7. FacePage has a Rails backend of faces (and pages)

8. We need faces on the go. It’s API time. APP

   API

9. API time? APP API

10. API time! APP API

11. What’s happening here? APP API cookies! tokens!

12. Users Faces Pages Gateway What could possibly go wrong? cookies!

    tokens! Rails?

13. What even is logging in?

14. Login starts here it me ******

15. A wild cookie appears it me ******

16. What cookies are, technically Response HTTP/1.0 200 OK Content-type: text/html

    Set-Cookie: <...> Request(s) GET /profile HTTP/1.1 Host: www.example.org Cookie: <...>

17. How we think of cookies

18. How we should think of cookies

19. A Rails Session Cookie BAhJIjd7InVzZXJfaWQiOjEyMzQ1Njc4OTAsImNzcmZfdG9rZW4iOiJyYW5kb21zdH JpbmcifQY6BkVU--26a4bf60c5baaac31cee9d80606506504b71e5ce MESSAGE--SIGNATURE

20. A Rails Session Cookie BAhJIjd7InVzZXJfaWQiOjEyMzQ1Njc4OTAsImNzcmZfdG9rZW4iOiJyYW5kb21zdH JpbmcifQY6BkVU--26a4bf60c5baaac31cee9d80606506504b71e5ce { “user_id”: 1234567890, “csrf_token”:

    “randomstring” } signature

21. Cookies carry secure messages securely signed message user_id: 12345 signed

    message user_id: 12345

22. How about the API? ? ?

23. An API token protocol Request(s) GET /profile HTTP/1.1 Host: www.example.org

    Authorization: Bearer randomstring Response HTTP/1.0 200 OK Content-type: text/json {“token”: “randomstring”}

24. {“token”: “randomstring”} Authorization: randomstring user_id token 1234567 randomstring ... ...

    Connecting a token to a user

25. Rails Cookie Opaque Token Header Cookie Authorization Contents structured random

    string Security crypto query What We’ve Learned

26. JSON Web Tokens

27. A JSON Web Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2p3dC5le GFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vYXBwLmV4YW1wbGUuY29tIiwic3ViIjo iMTIzNDU2Nzg5MCJ9.CE8LtdW4ViOMLGx0LcZwCKaPmmdYIAvlBtTsrjsWXv4 HEADER.MESSAGE.SIGNATURE

28. A JSON Web Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2p3dC5le GFtcGxlLmNvbSIsImF1ZCI6Imh0dHBzOi8vYXBwLmV4YW1wbGUuY29tIiwic3ViIjo iMTIzNDU2Nzg5MCJ9.CE8LtdW4ViOMLGx0LcZwCKaPmmdYIAvlBtTsrjsWXv4 { “alg”: “HS256”,

    “typ”: “JWT” } { “iss”: “https://jwt.example.com”, “aud”: “https://app.example.com”, “sub”: “1234567890” } signature

29. Verification Claims iss - issuer aud - audience iat -

    issued at exp - expiration Common JWT Claims Payload Claims sub - subject ??? - you decide

30. A JSON Web Token is like an ID card The

    Internet Name: It Me Address: 123 St Here, There Expires: 2038-01-19 Born: 1970-01-01 It Me official

31. A JSON Web Token is like an ID card The

    Internet Name: It Me Address: 123 St Here, There Expires: 2038-01-19 Born: 1970-01-01 It Me official issuer subject expiration issued at security

32. 1. Is it from a recognized authority { “iss”: “https://issuer.example.com”

    } Verifying a JSON Web Token

33. 1. Is it from a recognized authority 2. Is it

    intended for me { “iss”: “https://issuer.example.com”, “aud”: “https://app.example.com” } Verifying a JSON Web Token

34. { “iss”: “https://issuer.example.com”, “aud”: “https://app.example.com”, “exp”: 1492799700 } 1. Is

    it from a recognized authority 2. Is it intended for me 3. Has it expired Verifying a JSON Web Token

35. 1. Is it from a recognized authority 2. Is it

    intended for me 3. Has it expired 4. Is it a forgery { “iss”: “https://issuer.example.com”, “aud”: “https://app.example.com”, “exp”: 1492799700 } signature Verifying a JSON Web Token

36. Verifying a JSON Web Token 1. Is it from a

    recognized authority 2. Is it intended for me 3. Has it expired 4. Is it a forgery 5. Was it generated before or after that time we changed our secret after discovering we’d published it on GitHub ... { “iss”: “https://issuer.example.com”, “aud”: “https://app.example.com”, “exp”: 1492799700, “iat”: 1492796100 } signature

37. Practical JWT

38. Problem 1: Two Systems Cookies & Tokens • Two identities

    • Two headers • Two authentication systems JSON Web Tokens

39. Rails Cookie Opaque Token JSON Web Token Header Cookie Authorization

    either Contents structured random string structured Security crypto query crypto Problem 1: Two Systems

40. Cookie Auth with JSON Web Tokens JSON Web Token sub:

    12345 JSON Web Token sub: 12345

41. API Auth with JSON Web Tokens {“token”: <JWT>} Authorization: <JWT>

42. Problem 1: Two Systems Cookies & Tokens • Two identities

    • Two headers • Two authentication systems JSON Web Tokens • One identity • Two headers • One authentication system

43. Problem 2: API Performance Opaque Tokens SELECT user_id FROM api_tokens

    WHERE token = ? JSON Web Tokens • Claims • Cryptography

44. Problem 2: API Performance Opaque Tokens SELECT user_id FROM api_tokens

    WHERE token = ? Limiting factor: network JSON Web Tokens • Claims • Cryptography Limiting factor: CPU

45. Problem 3: Shared Auth ActionDispatch::Session::CookieStore • Rails-specific solution • Optimized

    for browser cookies • Optimized for majestic monoliths JSON Web Tokens

46. Problem 3: Shared Auth ActionDispatch::Session::CookieStore • Rails-specific solution • Optimized

    for browser cookies • Optimized for majestic monoliths JSON Web Tokens • Libraries in 20+ languages • Decoupled from cookies • Ready for distributed architectures

47. Problem 4: Shared Secrets Managing Secrets • Config management system

    • Manual copy+paste • Extended attack surface JSON Web Tokens

48. Problem 4: Shared Secrets Managing Secrets • Config management system

    • Manual copy+paste • Extended attack surface JSON Web Tokens • RSA signatures • Publish public keys via JSON Web Keys • Fetch, cache, and verify

49. Problem 5: Password Resets Database-stored Nonce • Generate and save

    token • Send token in email • Query list of tokens for user_id • Detect reset and regenerate token JSON Web Tokens

50. A Password Reset JWT { “iss”: “https://app.example.com”, “aud”: “https://app.example.com”, “exp”:

    1492799700, “iat”: 1492796100, “sub”: 82716 }

51. A Password Reset JWT { “iss”: “https://app.example.com”, “aud”: “https://app.example.com”, “exp”:

    1492799700, “iat”: 1492796100, “sub”: 82716, “scope”: “password_reset” }

52. A Password Reset JWT { “iss”: “https://app.example.com”, “aud”: “https://app.example.com”, “exp”:

    1492799700, “iat”: 1492796100, “sub”: 82716, “scope”: “password_reset”, “lock”: 1492814165 // users.password_changed_at }

53. Problem 5: Password Resets Database-stored Nonce • Generate and save

    token • Send token in email • Query list of tokens for user_id • Detect reset and regenerate token JSON Web Tokens • Generate token • Send token in email • Verify JWT and extract “sub” • Compare “scope” • Compare “lock” • Detect reset and record timestamp

54. JSON Web Tokens Problem 6: Email Conversion Email to Login

    Conversion • Send email with call-to-action • Confront user with login wall • Instrument conversion rates • Watch dropoff

55. Problem 6: Email Conversion Email to Login Conversion • Send

    email with call-to-action • Confront user with login wall • Instrument conversion rates • Watch dropoff JSON Web Tokens • Include expiring JWT in call-to-action URL • Include “scope” claim • Verify “scope” claim along with JWT • User is logged in as normal, on any device

56. Problem 7: Application Complexity Too Many Responsibilities • Application contains

    auth and account management code. • User god model JSON Web Tokens

57. Problem 7: Application Complexity Too Many Responsibilities • Application contains

    auth and account management code. • User god model JSON Web Tokens • Separate the issuer and audience • Separate accounts from users (1:1) • Enjoy benefits of smaller codebase

58. Keratin AuthN Modern, open source, website authentication backend. https://keratin.tech

59. In Conclusion

60. Takeaways JWTs solve problems you have right now. JWTs have

    advanced features for tomorrow’s problems. Learn by doing.

61. Lance Ivy @cainlevy https://keratin.tech https://cainlevy.net